Rule ID
SV-279580r1192309_rule
Version
V1R1
CCIs
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Verify Nutanix OS prevents dictionary attacks. 1. For AOS, Prism Central, and Files, verify the "dictcheck" parameter is set to "1", or is commented out using the following command. $ sudo grep -i dictcheck /etc/security/pwquality.conf dictcheck = 1 2. For AHV, verify the output contains "pam_pwquality.so" with the option of "required" or "requisite" using the following commands. $ sudo grep pwquality.so /etc/pam.d/password-auth password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 authtok_type= If Nutanix OS VMs are not configured to prevent dictionary attacks, this is a finding.
Configure the use of complex passwords for Nutanix OS VMs. 1. For AOS, configure the use of complex passwords using the following command. $ sudo salt-call state.sls security/CVM/pamCVM.sls 2. For Prism Central, configure the use of complex passwords using the following command. $ sudo salt-call state.sls security/PCVM/pamPCVM.sls 3. For Files, configure the use of complex passwords using the following command. $ sudo salt-call state.sls security/AFS/pamAFS.sls 4. For Prism Central, configure the use of complex passwords using the following command. $ ncli cluster edit-hypervisor-security-params enable-high-strength-password=true